Proofpoint published new research this week on the state of email authentication among India’s Fortune 100 companies, and the headline number cuts against the usual narrative. Adoption is not the problem. Ninety-seven percent of these companies have published a DMARC record. What Proofpoint found instead is an enforcement gap: 41% of them have stopped at a policy that monitors or quarantines suspicious mail rather than one that rejects it outright. Only 59% have moved to p=reject, the setting that actually instructs receiving mail servers to refuse messages that fail authentication.
That distinction, between publishing a record and enforcing a policy, is not a technicality. It is the difference between a domain that looks protected in a compliance checklist and one that is actually protected in a phishing inbox.
A Record Is Not a Policy
DMARC has three meaningful policy settings: p=none, which asks receiving servers to do nothing but report back on failures, p=quarantine, which asks them to route suspicious mail to spam, and p=reject, which asks them to refuse it outright. A domain sitting at p=none still generates aggregate reports and still shows up in an audit as “having DMARC,” but it authorizes nothing to actually be blocked. Attackers spoofing that domain get exactly the same delivery odds they would have gotten with no DMARC record at all.
Proofpoint’s finding that 41% of Fortune 100 India companies have not reached p=reject means that more than a third of the country’s most recognizable, most trusted corporate brands, the names customers already extend default trust to, are still leaving that trust unguarded. A fraudulent invoice email, a fake HR notice, a spoofed customer service message using the exact domain of one of these companies has a real chance of landing in an inbox unfiltered, because the policy in place does not tell receiving servers to stop it.
Why the Largest Companies Are the Highest-Value Targets
Proofpoint’s India country manager put the underlying logic plainly: these enterprises are among the most trusted names in the country’s digital economy, and that trust is precisely what makes them attractive targets. A phishing email impersonating an unknown small business gets scrutinized. A phishing email impersonating a Fortune 100 bank, telecom, or retailer benefits from years of accumulated brand recognition working in the attacker’s favor before the recipient reads a single word of the message.
The research also points to AI as the accelerant. Proofpoint’s warning is that AI is enabling threat actors to impersonate trusted brands at a scale and speed not seen before, generating convincing lookalike content and targeted lures far faster than manual campaigns ever could. Scale multiplies against whatever gap exists in a domain’s authentication policy. A 41% enforcement gap among the country’s largest companies is not a rounding error at that scale, it is a standing invitation.
Enforcement Is a Project, Not a Setting
The reason so many organizations stall at p=none or p=quarantine is rarely indifference. It is the fear of blocking legitimate mail. A company’s domain often sends through a payroll vendor, a CRM, a marketing platform, a support ticketing system, and half a dozen other third-party services, each of which needs to be identified and authorized with SPF and DKIM before a reject policy is safe to flip on. Skip that inventory step and enforcement risks silently dropping a real invoice or a real password reset alongside the fraudulent ones. That risk, not apathy, is what leaves so many well-resourced companies parked at monitoring mode indefinitely.
The fix is not complicated, but it does require someone to actually read the aggregate reports DMARC produces at p=none, identify every legitimate sending source, and authorize it, before graduating the policy. Skipping straight to p=reject without that visibility is how legitimate mail gets caught in the crossfire. Skipping enforcement altogether, indefinitely, is how the fraud gets through instead.
The Takeaway
Proofpoint’s numbers describe exactly the gap that has defined DMARC adoption for years now: publishing a record is easy, and most large organizations have already done it. Enforcing that record against real fraud attempts is the part that gets postponed, sometimes for years, while the domain sits exposed under the cover of appearing protected. If you serve customers who already trust your brand, that gap is precisely what a spoofed email is counting on.
Having a DMARC record is not the same as enforcing one. Sign up for free to Excello Mail and get the visibility you need to move your domain from monitoring to a fully enforced reject policy with confidence.